1/*
2 * Copyright (c) 2000-2004,2011,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * CertExtensions.h -- X.509 Cert Extensions as C structs
24 */
25
26#ifndef	_CERT_EXTENSIONS_H_
27#define _CERT_EXTENSIONS_H_
28
29#include <Security/cssmtype.h>
30
31/***
32 *** Structs for declaring extension-specific data.
33 ***/
34
35/*
36 * GeneralName, used in AuthorityKeyID, SubjectAltName, and
37 * IssuerAltName.
38 *
39 * For now, we just provide explicit support for the types which are
40 * represented as IA5Strings, OIDs, and octet strings. Constructed types
41 * such as EDIPartyName and x400Address are not explicitly handled
42 * right now and must be encoded and decoded by the caller. (See exception
43 * for Name and OtherName, below). In those cases the CE_GeneralName.name.Data field
44 * represents the BER contents octets; CE_GeneralName.name.Length is the
45 * length of the contents; the tag of the field is not needed - the BER
46 * encoding uses context-specific implicit tagging. The berEncoded field
 * is set to CSSM_TRUE in these cases. Simple types have berEncoded = CSSM_FALSE.
48 *
49 * In the case of a GeneralName in the form of a Name, we parse the Name
50 * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the
51 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
52 * sizeof(CSSM_X509_NAME). In this case berEncoded is false.
53 *
54 * In the case of a GeneralName in the form of a OtherName, we parse the fields
55 * into a CE_OtherName and place a pointer to the CE_OtherName in the
56 * CE_GeneralName.name.Data field. CE_GeneralName.name.Length is set to
57 * sizeof(CE_OtherName). In this case berEncoded is false.
58 *
59 *      GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
60 *
61 *      GeneralName ::= CHOICE {
62 *           otherName                       [0]     OtherName
63 *           rfc822Name                      [1]     IA5String,
64 *           dNSName                         [2]     IA5String,
65 *           x400Address                     [3]     ORAddress,
66 *           directoryName                   [4]     Name,
67 *           ediPartyName                    [5]     EDIPartyName,
68 *           uniformResourceIdentifier       [6]     IA5String,
69 *           iPAddress                       [7]     OCTET STRING,
70 *           registeredID                    [8]     OBJECT IDENTIFIER}
71 *
72 *      OtherName ::= SEQUENCE {
73 *           type-id    OBJECT IDENTIFIER,
74 *           value      [0] EXPLICIT ANY DEFINED BY type-id }
75 *
76 *      EDIPartyName ::= SEQUENCE {
77 *           nameAssigner            [0]     DirectoryString OPTIONAL,
78 *           partyName               [1]     DirectoryString }
79 */
/*
 * Which GeneralName CHOICE alternative a CE_GeneralName holds.
 * The enumerators are listed in tag order starting at GNT_OtherName = 0,
 * so each enumerator's numeric value equals the context-specific tag
 * number of its alternative ([0] otherName ... [8] registeredID).
 * NOTE(review): unlike the CE_* structs below, this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER marker — confirm whether
 * that is intentional.
 */
typedef enum __CE_GeneralNameType {
	GNT_OtherName = 0,		// [0] OtherName, parsed into a CE_OtherName
	GNT_RFC822Name,			// [1] IA5String
	GNT_DNSName,			// [2] IA5String
	GNT_X400Address,		// [3] ORAddress; constructed, caller-encoded (berEncoded = CSSM_TRUE)
	GNT_DirectoryName,		// [4] Name, parsed into a CSSM_X509_NAME
	GNT_EdiPartyName,		// [5] EDIPartyName; constructed, caller-encoded (berEncoded = CSSM_TRUE)
	GNT_URI,				// [6] IA5String
	GNT_IPAddress,			// [7] OCTET STRING
	GNT_RegisteredID		// [8] OBJECT IDENTIFIER
} CE_GeneralNameType;
91
/*
 * The OtherName alternative of GeneralName (see the GeneralName comment
 * above). A CE_GeneralName with nameType GNT_OtherName carries a pointer to
 * one of these in name.Data, with name.Length == sizeof(CE_OtherName).
 */
typedef struct __CE_OtherName {
	CSSM_OID				typeId;		// the OtherName type-id OID
	CSSM_DATA				value;		// unparsed, BER-encoded [0] EXPLICIT value: opaque bytes,
										// not a text string; interpret only according to typeId
} CE_OtherName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
96
/*
 * One GeneralName. nameType determines how `name` must be read:
 *  - GNT_RFC822Name, GNT_DNSName, GNT_URI, GNT_IPAddress, GNT_RegisteredID:
 *    name.Data/name.Length hold the IA5String, octet string or OID
 *    contents; berEncoded == CSSM_FALSE.
 *  - GNT_X400Address, GNT_EdiPartyName: name holds the BER contents octets
 *    (tag omitted); berEncoded == CSSM_TRUE; the caller encodes/decodes them.
 *  - GNT_DirectoryName: name.Data points to a CSSM_X509_NAME,
 *    name.Length == sizeof(CSSM_X509_NAME); berEncoded == CSSM_FALSE.
 *  - GNT_OtherName: name.Data points to a CE_OtherName,
 *    name.Length == sizeof(CE_OtherName); berEncoded == CSSM_FALSE.
 * Since name.Data is raw bytes for some nameTypes and a struct pointer for
 * others, consumers must dispatch on nameType before dereferencing it.
 * NOTE(review): nothing in this header states that the string-typed names
 * are NUL-terminated; treat them as Length-delimited unless the decoder
 * guarantees otherwise.
 */
typedef struct __CE_GeneralName {
	CE_GeneralNameType		nameType;	// GNT_RFC822Name, etc.; selects the meaning of `name`
	CSSM_BOOL				berEncoded;	// CSSM_TRUE only for the caller-encoded constructed types
	CSSM_DATA				name;		// contents, or a pointer to CSSM_X509_NAME / CE_OtherName (see above)
} CE_GeneralName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
102
/*
 * GeneralNames: a counted array of CE_GeneralName. Used directly for
 * SubjectAltName and IssuerAltName, and by value/pointer in several other
 * extensions below.
 */
typedef struct __CE_GeneralNames {
	uint32					numNames;		// number of entries in generalName
	CE_GeneralName			*generalName;	// array of numNames elements
} CE_GeneralNames DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
107
108/*
109 * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
110 *
111 *   AuthorityKeyIdentifier ::= SEQUENCE {
112 *     keyIdentifier             [0] KeyIdentifier           OPTIONAL,
113 *     authorityCertIssuer       [1] GeneralNames            OPTIONAL,
114 *     authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
115 *
116 *   KeyIdentifier ::= OCTET STRING
117 *
118 * CSSM OID = CSSMOID_AuthorityKeyIdentifier
119 */
/*
 * Decoded AuthorityKeyIdentifier. Each of the three OPTIONAL components has
 * a *Present flag; the value following the flag is meaningful only when the
 * flag is CSSM_TRUE and must not be read otherwise.
 */
typedef struct __CE_AuthorityKeyID {
	CSSM_BOOL			keyIdentifierPresent;	// [0] keyIdentifier present?
	CSSM_DATA			keyIdentifier;			// KeyIdentifier OCTET STRING contents
	CSSM_BOOL			generalNamesPresent;	// [1] authorityCertIssuer present?
	CE_GeneralNames		*generalNames;			// authorityCertIssuer
	CSSM_BOOL			serialNumberPresent;	// [2] authorityCertSerialNumber present?
	CSSM_DATA			serialNumber;			// CertificateSerialNumber contents
} CE_AuthorityKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
128
129/*
130 * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
131 *   SubjectKeyIdentifier ::= KeyIdentifier
132 *
133 * CSSM OID = CSSMOID_SubjectKeyIdentifier
134 */
/* SubjectKeyIdentifier: the KeyIdentifier OCTET STRING contents, as a CSSM_DATA. */
typedef CSSM_DATA CE_SubjectKeyID DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
136
137/*
138 * id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
139 *
140 *     KeyUsage ::= BIT STRING {
141 *          digitalSignature        (0),
142 *          nonRepudiation          (1),
143 *          keyEncipherment         (2),
144 *          dataEncipherment        (3),
145 *          keyAgreement            (4),
146 *          keyCertSign             (5),
147 *          cRLSign                 (6),
148 *          encipherOnly            (7),
149 *          decipherOnly            (8) }
150 *
151 * CSSM OID = CSSMOID_KeyUsage
152 *
153 */
/*
 * KeyUsage as a 16-bit mask. The masks mirror ASN.1 BIT STRING numbering:
 * BIT STRING bit n (digitalSignature is bit 0) is mask 0x8000 >> n, so the
 * most significant bit of the uint16 is digitalSignature and no mask below
 * 0x0080 is defined by this header.
 */
typedef uint16 CE_KeyUsage DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_KU_DigitalSignature	0x8000	// bit 0
#define CE_KU_NonRepudiation	0x4000	// bit 1
#define CE_KU_KeyEncipherment	0x2000	// bit 2
#define CE_KU_DataEncipherment	0x1000	// bit 3
#define CE_KU_KeyAgreement		0x0800	// bit 4
#define CE_KU_KeyCertSign	 	0x0400	// bit 5
#define CE_KU_CRLSign			0x0200	// bit 6
#define CE_KU_EncipherOnly	 	0x0100	// bit 7
#define CE_KU_DecipherOnly	 	0x0080	// bit 8
165
166/*
167 *  id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }
168 *
169 *   -- reasonCode ::= { CRLReason }
170 *
171 *   CRLReason ::= ENUMERATED {
172 *  	unspecified             (0),
173 *      keyCompromise           (1),
174 *     	cACompromise            (2),
175 *    	affiliationChanged      (3),
176 *   	superseded              (4),
177 *  	cessationOfOperation    (5),
178 * 		certificateHold         (6),
179 *		removeFromCRL           (8) }
180 *
181 * CSSM OID = CSSMOID_CrlReason
182 *
183 */
/*
 * CRLReason as a plain enumerated value (not a bit mask; contrast
 * CE_CrlDistReasonFlags). Value 7 is not defined by the ASN.1 above and
 * removeFromCRL is 8, so a decoded value of 7 or anything above 8 is
 * out of range and should be treated as an unknown reason rather than
 * mapped onto a neighbouring one.
 */
typedef uint32 CE_CrlReason DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CR_Unspecified			0
#define CE_CR_KeyCompromise			1
#define CE_CR_CACompromise			2
#define CE_CR_AffiliationChanged	3
#define CE_CR_Superseded			4
#define CE_CR_CessationOfOperation	5
#define CE_CR_CertificateHold		6
#define CE_CR_RemoveFromCRL	 		8	// note: 7 is intentionally skipped
194
195/*
196 * id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
197 *
198 *      SubjectAltName ::= GeneralNames
199 *
200 * CSSM OID = CSSMOID_SubjectAltName
201 *
202 * GeneralNames defined above.
203 */
204
205/*
206 *  id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
207 *
 *   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
209 *
210 *  KeyPurposeId ::= OBJECT IDENTIFIER
211 *
212 * CSSM OID = CSSMOID_ExtendedKeyUsage
213 */
/*
 * Decoded ExtendedKeyUsage: a counted array of KeyPurposeId OIDs.
 * NOTE(review): unlike the surrounding CE_* structs this typedef carries no
 * DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER marker — confirm whether
 * that is intentional.
 */
typedef struct __CE_ExtendedKeyUsage {
	uint32			numPurposes;	// number of entries in purposes
	CSSM_OID_PTR	purposes;		// array of numPurposes OIDs, in Intel pre-encoded format
} CE_ExtendedKeyUsage;
218
219/*
220 * id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
221 *
222 * BasicConstraints ::= SEQUENCE {
223 *       cA                      BOOLEAN DEFAULT FALSE,
224 *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
225 *
226 * CSSM OID = CSSMOID_BasicConstraints
227 */
/*
 * Decoded BasicConstraints. pathLenConstraint is OPTIONAL in the ASN.1, so
 * it is meaningful only when pathLenConstraintPresent is CSSM_TRUE; an absent
 * constraint is not the same as a constraint of 0, and consumers must check
 * the flag before enforcing the value.
 */
typedef struct __CE_BasicConstraints {
	CSSM_BOOL			cA;							// cA BOOLEAN (DEFAULT FALSE)
	CSSM_BOOL			pathLenConstraintPresent;	// was pathLenConstraint encoded?
	uint32				pathLenConstraint;			// valid only if pathLenConstraintPresent
} CE_BasicConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
233
234/*
235 * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
236 *
237 *   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
238 *
239 *   PolicyInformation ::= SEQUENCE {
240 *        policyIdentifier   CertPolicyId,
241 *        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
242 *                                PolicyQualifierInfo OPTIONAL }
243 *
244 *   CertPolicyId ::= OBJECT IDENTIFIER
245 *
246 *   PolicyQualifierInfo ::= SEQUENCE {
247 *        policyQualifierId  PolicyQualifierId,
248 *        qualifier          ANY DEFINED BY policyQualifierId }
249 *
250 *   -- policyQualifierIds for Internet policy qualifiers
251 *
252 *   id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
253 *   id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
254 *   id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
255 *
256 *   PolicyQualifierId ::=
257 *        OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
258 *
259 *   Qualifier ::= CHOICE {
260 *        cPSuri           CPSuri,
261 *        userNotice       UserNotice }
262 *
263 *   CPSuri ::= IA5String
264 *
265 *   UserNotice ::= SEQUENCE {
266 *        noticeRef        NoticeReference OPTIONAL,
267 *        explicitText     DisplayText OPTIONAL}
268 *
269 *   NoticeReference ::= SEQUENCE {
270 *        organization     DisplayText,
271 *        noticeNumbers    SEQUENCE OF INTEGER }
272 *
273 *   DisplayText ::= CHOICE {
274 *        visibleString    VisibleString  (SIZE (1..200)),
275 *        bmpString        BMPString      (SIZE (1..200)),
276 *        utf8String       UTF8String     (SIZE (1..200)) }
277 *
278 *  CSSM OID = CSSMOID_CertificatePolicies
279 *
280 * We only support down to the level of Qualifier, and then only the CPSuri
281 * choice. UserNotice is transmitted to and from this library as a raw
282 * CSSM_DATA containing the BER-encoded UserNotice sequence.
283 */
284
/*
 * One PolicyQualifierInfo. The meaning of `qualifier` depends on
 * policyQualifierId: for CSSMOID_QT_CPS it is the IA5String contents of the
 * CPSuri; for CSSMOID_QT_UNOTICE it is the raw BER-encoded UserNotice
 * sequence contents, which this library does not parse. Consumers must look
 * at policyQualifierId before treating the bytes as text.
 */
typedef struct __CE_PolicyQualifierInfo {
	CSSM_OID	policyQualifierId;			// CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE
	CSSM_DATA	qualifier;					// CSSMOID_QT_CPS: IA5String contents
											// CSSMOID_QT_UNOTICE : Sequence contents (BER, unparsed)
} CE_PolicyQualifierInfo DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
290
/*
 * One PolicyInformation: a CertPolicyId plus its optional qualifiers.
 */
typedef struct __CE_PolicyInformation {
	CSSM_OID				certPolicyId;			// policyIdentifier
	uint32					numPolicyQualifiers;	// size of *policyQualifiers; 0 when none were encoded
	CE_PolicyQualifierInfo	*policyQualifiers;
} CE_PolicyInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
296
/*
 * Decoded certificatePolicies: a counted array of CE_PolicyInformation.
 */
typedef struct __CE_CertPolicies {
	uint32					numPolicies;			// size of *policies;
	CE_PolicyInformation	*policies;
} CE_CertPolicies DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
301
302/*
303 * netscape-cert-type, a bit string.
304 *
305 * CSSM OID = CSSMOID_NetscapeCertType
306 *
307 * Bit fields defined in oidsattr.h: CE_NCT_SSL_Client, etc.
308 */
/* netscape-cert-type as a 16-bit mask; the CE_NCT_* bit values live in oidsattr.h. */
typedef uint16 CE_NetscapeCertType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
310
311/*
312 * CRLDistributionPoints.
313 *
314 *   id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }
315 *
316 *   cRLDistributionPoints ::= {
317 *        CRLDistPointsSyntax }
318 *
319 *   CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
320 *
321 *   NOTE: RFC 2459 claims that the tag for the optional DistributionPointName
322 *   is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be -
 *   because the underlying type also uses an implicit tag to distinguish
324 *   between CHOICEs.
325 *
326 *   DistributionPoint ::= SEQUENCE {
327 *        distributionPoint       [0]     DistributionPointName OPTIONAL,
328 *        reasons                 [1]     ReasonFlags OPTIONAL,
329 *        cRLIssuer               [2]     GeneralNames OPTIONAL }
330 *
331 *   DistributionPointName ::= CHOICE {
332 *        fullName                [0]     GeneralNames,
333 *        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
334 *
335 *   ReasonFlags ::= BIT STRING {
336 *        unused                  (0),
337 *        keyCompromise           (1),
338 *        cACompromise            (2),
339 *        affiliationChanged      (3),
340 *        superseded              (4),
341 *        cessationOfOperation    (5),
342 *        certificateHold         (6) }
343 *
344 * CSSM OID = CSSMOID_CrlDistributionPoints
345 */
346
347/*
348 * Note that this looks similar to CE_CrlReason, but that's an enum and this
349 * is an OR-able bit string.
350 */
/*
 * ReasonFlags as an 8-bit OR-able mask: BIT STRING bit n is mask 0x80 >> n.
 * Note that this looks similar to CE_CrlReason, but that's an enum and this
 * is an OR-able bit string. The ASN.1 names bit 0 "unused"; this header
 * calls that same bit CE_CD_Unspecified.
 */
typedef uint8 CE_CrlDistReasonFlags DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

#define CE_CD_Unspecified			0x80	// bit 0 ("unused" in the ASN.1)
#define CE_CD_KeyCompromise			0x40	// bit 1
#define CE_CD_CACompromise			0x20	// bit 2
#define CE_CD_AffiliationChanged	0x10	// bit 3
#define CE_CD_Superseded			0x08	// bit 4
#define CE_CD_CessationOfOperation	0x04	// bit 5
#define CE_CD_CertificateHold		0x02	// bit 6
360
/*
 * Which DistributionPointName CHOICE alternative a CE_DistributionPointName
 * holds; selects the active member of its dpn union.
 */
typedef enum __CE_CrlDistributionPointNameType {
	CE_CDNT_FullName,					// [0] fullName: dpn.fullName is valid
	CE_CDNT_NameRelativeToCrlIssuer		// [1] nameRelativeToCRLIssuer: dpn.rdn is valid
} CE_CrlDistributionPointNameType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
365
/*
 * Decoded DistributionPointName. Exactly one union member is active, chosen
 * by nameType; reading the other member is a type confusion (both are
 * pointers, so the compiler will not catch it).
 */
typedef struct __CE_DistributionPointName {
	CE_CrlDistributionPointNameType		nameType;	// discriminator for dpn
	union {
		CE_GeneralNames					*fullName;	// valid iff nameType == CE_CDNT_FullName
		CSSM_X509_RDN_PTR				rdn;		// valid iff nameType == CE_CDNT_NameRelativeToCrlIssuer
	} dpn;
} CE_DistributionPointName DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
373
374/*
375 * The top-level CRLDistributionPoint.
376 * All fields are optional; NULL pointers indicate absence.
377 */
/*
 * The top-level CRLDistributionPoint.
 * All fields are optional; NULL pointers indicate absence. The scalar
 * `reasons` is gated by reasonsPresent and is meaningful only when that
 * flag is CSSM_TRUE.
 */
typedef struct __CE_CRLDistributionPoint {
	CE_DistributionPointName			*distPointName;	// [0] distributionPoint, NULL if absent
	CSSM_BOOL							reasonsPresent;	// [1] reasons present?
	CE_CrlDistReasonFlags				reasons;		// valid only if reasonsPresent
	CE_GeneralNames						*crlIssuer;		// [2] cRLIssuer, NULL if absent
} CE_CRLDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
384
/*
 * Decoded cRLDistributionPoints: a counted array of CE_CRLDistributionPoint.
 */
typedef struct __CE_CRLDistPointsSyntax {
	uint32								numDistPoints;	// number of entries in distPoints
	CE_CRLDistributionPoint				*distPoints;
} CE_CRLDistPointsSyntax DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
389
390/*
391 * Authority Information Access and Subject Information Access.
392 *
393 * CSSM OID = CSSMOID_AuthorityInfoAccess
394 * CSSM OID = CSSMOID_SubjectInfoAccess
395 *
396 * SubjAuthInfoAccessSyntax  ::=
397 *		SEQUENCE SIZE (1..MAX) OF AccessDescription
398 *
399 * AccessDescription  ::=  SEQUENCE {
400 *		accessMethod          OBJECT IDENTIFIER,
401 *		accessLocation        GeneralName  }
402 */
/*
 * One AccessDescription. accessLocation is an embedded CE_GeneralName, so
 * the nameType/berEncoded rules documented for CE_GeneralName apply before
 * its `name` may be interpreted.
 */
typedef struct __CE_AccessDescription {
	CSSM_OID				accessMethod;		// accessMethod OID
	CE_GeneralName			accessLocation;		// accessLocation, by value
} CE_AccessDescription DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
407
/*
 * Decoded AuthorityInfoAccess / SubjectInfoAccess (the same struct serves
 * both OIDs): a counted array of CE_AccessDescription.
 */
typedef struct __CE_AuthorityInfoAccess {
	uint32					numAccessDescriptions;	// number of entries in accessDescriptions
	CE_AccessDescription	*accessDescriptions;
} CE_AuthorityInfoAccess DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
412
413/*
414 * Qualified Certificate Statement support, per RFC 3739.
415 *
416 * First, NameRegistrationAuthorities, a component of
417 * SemanticsInformation; it's the same as a GeneralNames -
418 * a sequence of GeneralName.
419 */
/* NameRegistrationAuthorities is structurally a GeneralNames, so it reuses CE_GeneralNames. */
typedef CE_GeneralNames CE_NameRegistrationAuthorities DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
421
422/*
423 * SemanticsInformation, identified as the qcType field
424 * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
425 * Both fields optional; at least one must be present.
426 */
/*
 * SemanticsInformation, identified as the qcType field
 * of a CE_QC_Statement for statementId value id-qcs-pkixQCSyntax-v2.
 * Both fields optional; at least one must be present. Presumably a NULL
 * pointer marks an absent field — confirm against the decoder.
 */
typedef struct __CE_SemanticsInformation {
	CSSM_OID							*semanticsIdentifier;			// optional
	CE_NameRegistrationAuthorities		*nameRegistrationAuthorities;	// optional
} CE_SemanticsInformation DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
431
432/*
433 * One Qualified Certificate Statement.
434 * The statementId OID is required; zero or one of {semanticsInfo,
435 * otherInfo} can be valid, depending on the value of statementId.
436 * For statementId id-qcs-pkixQCSyntax-v2 (CSSMOID_OID_QCS_SYNTAX_V2),
437 * the semanticsInfo field may be present; otherwise, DER-encoded
438 * information may be present in otherInfo. Both semanticsInfo and
439 * otherInfo are optional.
440 */
/*
 * One Qualified Certificate Statement.
 * statementId is required. At most one of {semanticsInfo, otherInfo} is
 * expected to be valid, depending on statementId: for
 * CSSMOID_OID_QCS_SYNTAX_V2 the parsed semanticsInfo may be present;
 * for any other statementId the DER-encoded statement info may be present,
 * unparsed, in otherInfo. Both pointers are optional; consumers must not
 * assume either is non-NULL.
 */
typedef struct __CE_QC_Statement {
	CSSM_OID							statementId;	// required
	CE_SemanticsInformation				*semanticsInfo;	// optional; only for id-qcs-pkixQCSyntax-v2
	CSSM_DATA							*otherInfo;		// optional; raw DER for other statementIds
} CE_QC_Statement DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
446
447/*
448 * The top-level Qualified Certificate Statements extension.
449 */
/*
 * The top-level Qualified Certificate Statements extension: a counted
 * array of CE_QC_Statement.
 */
typedef struct __CE_QC_Statements {
	uint32								numQCStatements;	// number of entries in qcStatements
	CE_QC_Statement						*qcStatements;
} CE_QC_Statements DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
454
455/*** CRL extensions ***/
456
457/*
458 * cRLNumber, an integer.
459 *
460 * CSSM OID = CSSMOID_CrlNumber
461 */
/*
 * cRLNumber as a 32-bit value.
 * NOTE(review): the ASN.1 cRLNumber is an INTEGER with no 32-bit bound, so
 * wider values cannot be represented here — confirm that the decoder
 * rejects rather than truncates them. Also not marked deprecated, unlike
 * most CE_* types in this header.
 */
typedef uint32 CE_CrlNumber;
463
464/*
465 * deltaCRLIndicator, an integer.
466 *
467 * CSSM OID = CSSMOID_DeltaCrlIndicator
468 */
/*
 * deltaCRLIndicator (the base CRL number) as a 32-bit value; the same
 * width caveat as CE_CrlNumber applies. Not marked deprecated, unlike most
 * CE_* types in this header.
 */
typedef uint32 CE_DeltaCrl;
470
471/*
472 * IssuingDistributionPoint
473 *
474 * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
475 *
476 * issuingDistributionPoint ::= SEQUENCE {
477 *      distributionPoint       [0] DistributionPointName OPTIONAL,
478 *		onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
479 *      onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
480 *      onlySomeReasons         [3] ReasonFlags OPTIONAL,
481 *      indirectCRL             [4] BOOLEAN DEFAULT FALSE }
482 *
483 * CSSM OID = CSSMOID_IssuingDistributionPoint
484 */
/*
 * Decoded issuingDistributionPoint. Every component is OPTIONAL or has a
 * DEFAULT in the ASN.1, so each scalar is paired with a *Present flag that
 * says whether it was actually encoded; the value is meaningful only when
 * its flag is CSSM_TRUE (a BOOLEAN that is absent takes its DEFAULT FALSE).
 */
typedef struct __CE_IssuingDistributionPoint {
	CE_DistributionPointName	*distPointName;		// [0] optional; presumably NULL when absent
	CSSM_BOOL					onlyUserCertsPresent;	// [1] encoded?
	CSSM_BOOL					onlyUserCerts;			// valid only if onlyUserCertsPresent
	CSSM_BOOL					onlyCACertsPresent;		// [2] encoded?
	CSSM_BOOL					onlyCACerts;			// valid only if onlyCACertsPresent
	CSSM_BOOL					onlySomeReasonsPresent;	// [3] encoded?
	CE_CrlDistReasonFlags		onlySomeReasons;		// valid only if onlySomeReasonsPresent
	CSSM_BOOL					indirectCrlPresent;		// [4] encoded?
	CSSM_BOOL					indirectCrl;			// valid only if indirectCrlPresent
} CE_IssuingDistributionPoint DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
496
497/*
498 * NameConstraints
499 *
500 * id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }
501 *
502 *     NameConstraints ::= SEQUENCE {
503 *          permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
504 *          excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
505 *
506 *     GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
507 *
508 *     GeneralSubtree ::= SEQUENCE {
509 *          base                    GeneralName,
510 *          minimum         [0]     BaseDistance DEFAULT 0,
511 *          maximum         [1]     BaseDistance OPTIONAL }
512 *
513 *     BaseDistance ::= INTEGER (0..MAX)
514 */
/*
 * One GeneralSubtree of a NameConstraints extension.
 * NOTE(review): `base` is declared as CE_GeneralNames * although the ASN.1
 * above defines base as a single GeneralName — confirm with the decoder
 * how many entries it populates.
 * `maximum` is OPTIONAL and is meaningful only when maximumPresent is
 * CSSM_TRUE; `minimum` always has a value (DEFAULT 0).
 */
typedef struct __CE_GeneralSubtree {
	CE_GeneralNames						*base;
	uint32								minimum; // default=0
	CSSM_BOOL							maximumPresent;
	uint32								maximum; // optional; valid only if maximumPresent
} CE_GeneralSubtree DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
521
/*
 * GeneralSubtrees: a counted array of CE_GeneralSubtree.
 */
typedef struct __CE_GeneralSubtrees {
	uint32								numSubtrees;	// number of entries in subtrees
	CE_GeneralSubtree					*subtrees;
} CE_GeneralSubtrees DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
526
/*
 * Decoded NameConstraints. Both subtree lists are OPTIONAL; an absent list
 * places no constraint of that kind, which is different from an empty one.
 */
typedef struct __CE_NameConstraints {
	CE_GeneralSubtrees					*permitted; // optional ([0] permittedSubtrees)
	CE_GeneralSubtrees					*excluded;  // optional ([1] excludedSubtrees)
} CE_NameConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
531
532/*
533 * PolicyMappings
534 *
535 * id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }
536 *
537 *     PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
538 *          issuerDomainPolicy      CertPolicyId,
539 *          subjectDomainPolicy     CertPolicyId }
540 *
541 * Note that both issuer and subject policy OIDs are required,
542 * and are stored by value in this structure.
543 */
/*
 * One issuer-policy -> subject-policy mapping. Both OIDs are required and
 * are stored by value.
 */
typedef struct __CE_PolicyMapping {
	CSSM_OID							issuerDomainPolicy;
	CSSM_OID							subjectDomainPolicy;
} CE_PolicyMapping DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
548
/*
 * Decoded PolicyMappings: a counted array of CE_PolicyMapping.
 */
typedef struct __CE_PolicyMappings {
	uint32								numPolicyMappings;	// number of entries in policyMappings
	CE_PolicyMapping					*policyMappings;
} CE_PolicyMappings DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
553
554/*
555 * PolicyConstraints
556 *
557 * id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }
558 *
559 *     PolicyConstraints ::= SEQUENCE {
560 *          requireExplicitPolicy   [0]     SkipCerts OPTIONAL,
561 *          inhibitPolicyMapping    [1]     SkipCerts OPTIONAL }
562 *
563 *      SkipCerts ::= INTEGER (0..MAX)
564 */
/*
 * Decoded PolicyConstraints. Both SkipCerts values are OPTIONAL; each is
 * meaningful only when its *Present flag is CSSM_TRUE. An absent value
 * imposes no constraint, which is not the same as a SkipCerts of 0.
 */
typedef struct __CE_PolicyConstraints {
	CSSM_BOOL							requireExplicitPolicyPresent;
	uint32								requireExplicitPolicy; // optional; valid only if requireExplicitPolicyPresent
	CSSM_BOOL							inhibitPolicyMappingPresent;
	uint32								inhibitPolicyMapping;  // optional; valid only if inhibitPolicyMappingPresent
} CE_PolicyConstraints DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
571
572/*
573 * InhibitAnyPolicy, an integer.
574 *
575 * CSSM OID = CSSMOID_InhibitAnyPolicy
576 */
/* InhibitAnyPolicy: the SkipCerts count, as a 32-bit value. */
typedef uint32 CE_InhibitAnyPolicy DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
578
579/*
580 * An enumerated list identifying one of the above per-extension
581 * structs.
582 */
/*
 * An enumerated list identifying one of the above per-extension
 * structs; it is the discriminator for the CE_Data union.
 * The enumerator values are implicit and DT_Other sits in the middle of
 * the list, so new types can only be added at the end without renumbering
 * the existing ones.
 * NOTE(review): unlike most CE_* types in this header, this typedef carries
 * no DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER marker — confirm.
 */
typedef enum __CE_DataType {
	DT_AuthorityKeyID,			// CE_AuthorityKeyID
	DT_SubjectKeyID,			// CE_SubjectKeyID
	DT_KeyUsage,				// CE_KeyUsage
	DT_SubjectAltName,			// CE_GeneralNames (CE_Data.subjectAltName)
	DT_IssuerAltName,			// CE_GeneralNames (CE_Data.issuerAltName)
	DT_ExtendedKeyUsage,		// CE_ExtendedKeyUsage
	DT_BasicConstraints,		// CE_BasicConstraints
	DT_CertPolicies,			// CE_CertPolicies
	DT_NetscapeCertType,		// CE_NetscapeCertType
	DT_CrlNumber,				// CE_CrlNumber
	DT_DeltaCrl,				// CE_DeltaCrl
	DT_CrlReason,				// CE_CrlReason
	DT_CrlDistributionPoints,	// CE_CRLDistPointsSyntax
	DT_IssuingDistributionPoint,// CE_IssuingDistributionPoint
	DT_AuthorityInfoAccess,		// CE_AuthorityInfoAccess
	DT_Other,					// unknown, raw data as a CSSM_DATA (CE_Data.rawData)
	DT_QC_Statements,			// CE_QC_Statements
	DT_NameConstraints,			// CE_NameConstraints
	DT_PolicyMappings,			// CE_PolicyMappings
	DT_PolicyConstraints,		// CE_PolicyConstraints
	DT_InhibitAnyPolicy			// CE_InhibitAnyPolicy
} CE_DataType;
606
607/*
608 * One unified representation of all the cert and CRL extensions we know about.
609 */
/*
 * One unified representation of all the cert and CRL extensions we know about.
 * Only the member selected by the accompanying CE_DataType
 * (CE_DataAndType.type) is valid; reading any other member is a type
 * confusion that the compiler cannot detect. rawData is the member for
 * DT_Other, i.e. an extension this library did not decode.
 */
typedef union {
	CE_AuthorityKeyID			authorityKeyID;				// DT_AuthorityKeyID
	CE_SubjectKeyID				subjectKeyID;				// DT_SubjectKeyID
	CE_KeyUsage					keyUsage;					// DT_KeyUsage
	CE_GeneralNames				subjectAltName;				// DT_SubjectAltName
	CE_GeneralNames				issuerAltName;				// DT_IssuerAltName
	CE_ExtendedKeyUsage			extendedKeyUsage;			// DT_ExtendedKeyUsage
	CE_BasicConstraints			basicConstraints;			// DT_BasicConstraints
	CE_CertPolicies				certPolicies;				// DT_CertPolicies
	CE_NetscapeCertType			netscapeCertType;			// DT_NetscapeCertType
	CE_CrlNumber				crlNumber;					// DT_CrlNumber
	CE_DeltaCrl					deltaCrl;					// DT_DeltaCrl
	CE_CrlReason				crlReason;					// DT_CrlReason
	CE_CRLDistPointsSyntax		crlDistPoints;				// DT_CrlDistributionPoints
	CE_IssuingDistributionPoint	issuingDistPoint;			// DT_IssuingDistributionPoint
	CE_AuthorityInfoAccess		authorityInfoAccess;		// DT_AuthorityInfoAccess
	CE_QC_Statements			qualifiedCertStatements;	// DT_QC_Statements
	CE_NameConstraints			nameConstraints;			// DT_NameConstraints
	CE_PolicyMappings			policyMappings;				// DT_PolicyMappings
	CE_PolicyConstraints		policyConstraints;			// DT_PolicyConstraints
	CE_InhibitAnyPolicy			inhibitAnyPolicy;			// DT_InhibitAnyPolicy
	CSSM_DATA					rawData;					// DT_Other: unknown, not decoded
} CE_Data DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
633
/*
 * One decoded extension. `type` selects the active member of `extension`;
 * DT_Other means the extension was not recognized and only
 * extension.rawData is populated. `critical` carries the extension's
 * critical flag. Under X.509 processing rules an extension that is both
 * unrecognized (DT_Other) and critical must cause the certificate or CRL
 * to be rejected, so consumers must not silently skip such entries.
 */
typedef struct __CE_DataAndType {
	CE_DataType				type;		// discriminator for extension
	CE_Data					extension;	// payload; only the member named by type is valid
	CSSM_BOOL				critical;	// the extension's critical flag
} CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
639
640#endif	/* _CERT_EXTENSIONS_H_ */
641